Skip to content

DISA STIG for Red Hat Enterprise Linux 8

Rules and Groups employed by this XCCDF Profile

  • Enable Execute Disable (XD) or No Execute (NX) Support on x86 Systems

    Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, th...
    Group
  • Enable NX or XD Support in the BIOS

    Reboot the system and enter the BIOS or Setup configuration menu. Navigate the BIOS configuration menu and make sure that the option is enabled. Th...
    Rule Medium Severity
  • Memory Poisoning

    Memory Poisoning consists of writing a special value to uninitialized or freed memory. Poisoning can be used as a mechanism to prevent leak of info...
    Group
  • Enable page allocator poisoning

    To enable poisoning of free pages, add the argument <code>page_poison=1</code> to the default GRUB 2 command line for the Linux operating system. T...
    Rule Medium Severity
  • Enable SLUB/SLAB allocator poisoning

    To enable poisoning of SLUB/SLAB objects, add the argument <code>slub_debug=<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_slub_debug...
    Rule Medium Severity
  • SELinux

    SELinux is a feature of the Linux kernel which can be used to guard against misconfigured or compromised programs. SELinux enforces the idea that p...
    Group
  • Install policycoreutils Package

    The policycoreutils package can be installed with the following command:
    $ sudo yum install policycoreutils
    Rule Low Severity
  • Configure SELinux Policy

    The SELinux <code>targeted</code> policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To config...
    Rule Medium Severity
  • Ensure SELinux State is Enforcing

    The SELinux state should be set to <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_selinux_state" use="legacy"></xccdf-1.2:sub><...
    Rule High Severity
  • Map System Users To The Appropriate SELinux Role

    Configure the operating system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering...
    Rule Medium Severity
  • Services

    The best protection against vulnerable software is running less software. This section describes how to review the software which Red Hat Enterpris...
    Group
  • Base Services

    This section addresses the base services that are installed on a Red Hat Enterprise Linux 8 default installation which are not covered in other sec...
    Group
  • Uninstall Automatic Bug Reporting Tool (abrt)

    The Automatic Bug Reporting Tool (<code>abrt</code>) collects and reports crash data when an application crash is detected. Using a variety of plug...
    Rule Medium Severity
  • Disable KDump Kernel Crash Analyzer (kdump)

    The <code>kdump</code> service provides a kernel crash dump analyzer. It uses the <code>kexec</code> system call to boot a secondary kernel ("captu...
    Rule Medium Severity
  • Application Whitelisting Daemon

    Fapolicyd (File Access Policy Daemon) implements application whitelisting to decide file access rights. Applications that are known via a reputatio...
    Group
  • Install fapolicyd Package

    The fapolicyd package can be installed with the following command:
    $ sudo yum install fapolicyd
    Rule Medium Severity
  • Enable the File Access Policy Service

    The File Access Policy service should be enabled. The <code>fapolicyd</code> service can be enabled with the following command: <pre>$ sudo system...
    Rule Medium Severity
  • Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy to Allow the Execution of Authorized Software Programs.

    The Fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs and ...
    Rule Medium Severity
  • FTP Server

    FTP is a common method for allowing remote access to files. Like telnet, the FTP protocol is unencrypted, which means that passwords and other data...
    Group
  • Disable vsftpd if Possible

    To minimize attack surface, disable vsftpd if at all possible.
    Group

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules